
Issue 736583 link

Starred by 3 users

Issue metadata

Status: Started
OS: Chrome
Pri: 2
Type: Bug

Blocking:
issue 649672
Fix net-misc/tlsdate for OpenSSL 1.1

Project Member Reported by djkurtz@chromium.org, Jun 24 2017

Issue description

We are currently using a forked tlsdate (tlsdate-0.0.5-r49.ebuild):
https://chromium.googlesource.com/chromiumos/third_party/tlsdate/

Latest upstream gentoo is tlsdate-0.0.13.ebuild:
https://gitweb.gentoo.org/repo/gentoo.git/tree/net-misc/tlsdate/tlsdate-0.0.13.ebuild

Latest upstream tlsdate is also the release of 0.0.13 - from May 29, 2015:
https://github.com/ioerror/tlsdate/commit/ae396da167a9e43ce10c2db0956fb2e2b0d400ea

There is still an open upstream issue (since Aug 31, 2016) to fix tlsdate for OpenSSL 1.1:
https://github.com/ioerror/tlsdate/issues/190

Considering there hasn't been a patch committed to tlsdate in over 2 years, I don't think this will be fixed upstream any time soon. I guess we should fix locally for now, and offer a rebased pull request to github if possible.
 
Blocking: 649672
Cc: vapier@chromium.org drinkcat@chromium.org derat@chromium.org mnissler@chromium.org ejcaruso@chromium.org puthik@chromium.org cernekee@chromium.org
Components: OS>Packages
Labels: -Pri-3 OS-Chrome Pri-2
The compiler errors are mostly about directly accessing fields of OpenSSL types which are now opaque in OpenSSL 1.1.
See https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes

For example:

src/proxy-bio.c:54:4: error: incomplete definition of type 'struct bio_st'
  b->init = 1;
  ~^
../../../../../../usr/include/openssl/ossl_typ.h:79:16: note: forward declaration of 'struct bio_st'
typedef struct bio_st BIO;
               ^
src/proxy-bio.c:55:4: error: incomplete definition of type 'struct bio_st'
  b->flags = 0;
  ~^

src/test-bio.c:116:12: error: variable has incomplete type 'BIO_METHOD' (aka 'struct bio_method_st')
BIO_METHOD test_methods =
           ^
../../../../../../usr/include/openssl/bio.h:243:16: note: forward declaration of 'struct bio_method_st'
typedef struct bio_method_st BIO_METHOD;
               ^

src/tlsdate-helper.c:204:11: error: incomplete definition of type 'struct ssl_st'
      (ssl->state == SSL3_ST_CR_SRVR_HELLO_A || ssl->state == SSL3_ST_CR_SRVR_HELLO_B))
       ~~~^
../../../../../../usr/include/openssl/ossl_typ.h:144:16: note: forward declaration of 'struct ssl_st'
typedef struct ssl_st SSL;
               ^
src/tlsdate-helper.c:204:22: error: use of undeclared identifier 'SSL3_ST_CR_SRVR_HELLO_A'; did you mean 'TLS_ST_CR_SRVR_HELLO'?
      (ssl->state == SSL3_ST_CR_SRVR_HELLO_A || ssl->state == SSL3_ST_CR_SRVR_HELLO_B))
                     ^~~~~~~~~~~~~~~~~~~~~~~
                     TLS_ST_CR_SRVR_HELLO
../../../../../../usr/include/openssl/ssl.h:869:5: note: 'TLS_ST_CR_SRVR_HELLO' declared here
    TLS_ST_CR_SRVR_HELLO,
    ^
src/tlsdate-helper.c:204:52: error: incomplete definition of type 'struct ssl_st'
      (ssl->state == SSL3_ST_CR_SRVR_HELLO_A || ssl->state == SSL3_ST_CR_SRVR_HELLO_B))
                                                ~~~^

src/tlsdate-helper.c:243:21: error: incomplete definition of type 'struct evp_pkey_st'
  switch (public_key->type)
          ~~~~~~~~~~^
../../../../../../usr/include/openssl/ossl_typ.h:93:16: note: forward declaration of 'struct evp_pkey_st'
typedef struct evp_pkey_st EVP_PKEY;
               ^
src/tlsdate-helper.c:523:24: error: incomplete definition of type 'struct X509_extension_st'
              tmp = ext->value->data;
                    ~~~^
../../../../../../usr/include/openssl/x509.h:79:16: note: forward declaration of 'struct X509_extension_st'
typedef struct X509_extension_st X509_EXTENSION;
               ^
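
Every error in the log above has the same shape: tlsdate code reaches into a struct (bio_st, bio_method_st, ssl_st, evp_pkey_st, X509_extension_st) whose definition OpenSSL 1.1 moved out of the public headers, so the only way to touch those fields is through accessor functions. The program below is an added example, not code from tlsdate, OpenSSL or this bug. It mocks the 1.1 "opaque struct plus accessor" layout with invented mock_* names (each commented with the real OpenSSL 1.1 function it stands in for) and writes a proxy-bio.c-style consumer against those accessors. It deliberately neither includes nor links OpenSSL, so it builds with a plain C compiler; the consumer code is placed above the struct definitions so that a stray `b->init = 1;` would fail with exactly the "incomplete definition of type" error from the log.

```c
/* Added example: mock of the OpenSSL 1.1 opaque-struct discipline.
 * All mock_* names are invented for this illustration. */
#include <stdlib.h>
#include <string.h>

/* Public "header": forward declarations only, as OpenSSL 1.1's bio.h does. */
typedef struct mock_bio_st MOCK_BIO;                /* cf. typedef struct bio_st BIO;        */
typedef struct mock_bio_method_st MOCK_BIO_METHOD;  /* cf. typedef struct bio_method_st BIO_METHOD; */
typedef int (*mock_write_fn)(MOCK_BIO *b, const char *buf, int len);

MOCK_BIO_METHOD *mock_bio_meth_new(const char *name);               /* cf. BIO_meth_new()       */
void mock_bio_meth_set_write(MOCK_BIO_METHOD *m, mock_write_fn w);  /* cf. BIO_meth_set_write() */
void mock_bio_meth_free(MOCK_BIO_METHOD *m);                        /* cf. BIO_meth_free()      */
MOCK_BIO *mock_bio_new(const MOCK_BIO_METHOD *m);                   /* cf. BIO_new()            */
void mock_bio_free(MOCK_BIO *b);                                    /* cf. BIO_free()           */
void mock_bio_set_init(MOCK_BIO *b, int init);                      /* cf. BIO_set_init()       */
int  mock_bio_get_init(const MOCK_BIO *b);                          /* cf. BIO_get_init()       */
void mock_bio_set_data(MOCK_BIO *b, void *ptr);                     /* cf. BIO_set_data()       */
void *mock_bio_get_data(const MOCK_BIO *b);                         /* cf. BIO_get_data()       */
int  mock_bio_write(MOCK_BIO *b, const char *buf, int len);         /* cf. BIO_write()          */

/* Consumer code in the spirit of proxy-bio.c / test-bio.c, written against
 * the accessors. It sits above the struct definitions on purpose: the
 * compiler, not convention, enforces that no field is touched directly. */
struct capture { char buf[64]; int used; };

static int capture_write(MOCK_BIO *b, const char *buf, int len) {
    struct capture *c = mock_bio_get_data(b);
    if (!mock_bio_get_init(b) || c == NULL || len < 0) return -1;
    int room = (int)sizeof(c->buf) - c->used;
    int n = len < room ? len : room;      /* never overrun the capture buffer */
    memcpy(c->buf + c->used, buf, (size_t)n);
    c->used += n;
    return n;
}

/* Replaces the 1.0-era "b->ptr = c; b->init = 1;" setup with accessors. */
static void capture_attach(MOCK_BIO *b, struct capture *c) {
    c->used = 0;
    mock_bio_set_data(b, c);
    mock_bio_set_init(b, 1);
}

/* Builds the method at run time (1.1 style) instead of a static BIO_METHOD
 * initialiser, pushes msg through it and copies the captured bytes to out.
 * Returns the number of bytes the write hook accepted, or -1 on failure. */
int demo_capture_bio(const char *msg, char *out, size_t out_len) {
    struct capture c;
    MOCK_BIO_METHOD *m = mock_bio_meth_new("capture");
    if (m == NULL) return -1;
    mock_bio_meth_set_write(m, capture_write);
    MOCK_BIO *b = mock_bio_new(m);
    if (b == NULL) { mock_bio_meth_free(m); return -1; }
    capture_attach(b, &c);
    int n = mock_bio_write(b, msg, (int)strlen(msg));
    mock_bio_free(b);
    mock_bio_meth_free(m);
    if (n < 0 || out_len == 0) return n;
    size_t copy = (size_t)n < out_len - 1 ? (size_t)n : out_len - 1;
    memcpy(out, c.buf, copy);
    out[copy] = '\0';
    return n;
}

/* Private "library" side: the only place where the layouts are visible. */
struct mock_bio_method_st { const char *name; mock_write_fn write; };
struct mock_bio_st { const MOCK_BIO_METHOD *method; int init; void *ptr; };

MOCK_BIO_METHOD *mock_bio_meth_new(const char *name) {
    MOCK_BIO_METHOD *m = calloc(1, sizeof *m);
    if (m) m->name = name;
    return m;
}
void mock_bio_meth_set_write(MOCK_BIO_METHOD *m, mock_write_fn w) { m->write = w; }
void mock_bio_meth_free(MOCK_BIO_METHOD *m) { free(m); }
MOCK_BIO *mock_bio_new(const MOCK_BIO_METHOD *m) {
    MOCK_BIO *b = calloc(1, sizeof *b);
    if (b) b->method = m;
    return b;
}
void mock_bio_free(MOCK_BIO *b) { free(b); }
void mock_bio_set_init(MOCK_BIO *b, int init) { b->init = init; }
int  mock_bio_get_init(const MOCK_BIO *b) { return b->init; }
void mock_bio_set_data(MOCK_BIO *b, void *ptr) { b->ptr = ptr; }
void *mock_bio_get_data(const MOCK_BIO *b) { return b->ptr; }
int  mock_bio_write(MOCK_BIO *b, const char *buf, int len) {
    if (b == NULL || b->method == NULL || b->method->write == NULL) return -1;
    return b->method->write(b, buf, len);
}
```

The same substitution applies to the other sites in the log: `ssl->state` compared against `SSL3_ST_*` becomes `SSL_get_state()` (which on 1.1 returns the `TLS_ST_*` handshake states the compiler already suggests) or simply `SSL_in_init()`; `public_key->type` becomes `EVP_PKEY_base_id()`; and `ext->value->data` becomes `ASN1_STRING_get0_data(X509_EXTENSION_get_data(ext))`. A tree that still has to build against 1.0.2 usually keeps its code on the 1.1 accessor names and supplies them for the old version from a small compat header guarded by `#if OPENSSL_VERSION_NUMBER < 0x10100000L`.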


Comment 3 by derat@chromium.org, Jun 24 2017

Cc: jorgelo@chromium.org wad@chromium.org
Oh, also it looks like Android maintains its own fork of tlsdate...
https://android.googlesource.com/platform/external/tlsdate/
Some more interesting history.

 (1) Part of the chromium os fork was actually merged into upstream as part of tlsdate-0.0.9.

In particular the patches (excluding BACKPORTs) below were merged with [1], the patch before tlsdate-0.0.8.

glo tlsdate-0.0.5..3db1d4182ee5a1dc191453d0e019ef773bfaf28b
3db1d41 CHROMIUM: Listen for SuspendDone D-Bus signal
29e6fc3 tlsdate: Allow explicitly disabling seccomp support
fc78f7e Add tlsdated.conf to this package
c8d3670 CHROMIUM: Allow larger continuity time jumps
c45952f CHROMIUM: Initial work eventizing tlsdated

[1] 9ff0c7b hard code subkey 0x1801A819

As of this moment, the following CHROMIUM patches are not yet merged upstream.

e29f26e tlsdate: Avoid declaring vars in for-loop conditions.
27c3d79 tlsdate: Save user manually set time to disk
0d5a64f tlsdate: Use first proxy when multiple are supplied.
76dd49e tlsdate: Add tests for proxy-parsing code.
8ccda0f tlsdate: Use org.chromium.NetworkProxyService.
3eb1248 tlsdate: Simplify string constants.
78a898a tlsdate: Adding systemd service file.
0c4b13b FROMLIST: Enable TLS SNI
78a898a tlsdate: skip backoff periods on external events
fb6fbcb tlsdated: make it -Werror clean
58967fe run_tlsdate.c: fix missing parameter
5175004 tlsdate: add SECCOMP_AUDIT_ARCH definition for MIPS

At least two of these exist as either debian patches (5175004) or merge requests that have been pending for over a year (0c4b13b)...

This makes me suspect upstream (github) tlsdate is not very actively maintained :-(.


 (2) The Android fork is 44 commits (excluding merges) based directly on top of the latest upstream commit (0.0.13):

c339766 Do not depend on internals of the SSL state machine.
5a3de7f Don't reach into BoringSSL structs.
8e4be28 Fix mips64 build.
ce31a91 Add MIPS little endian architectures and fix preprocessor indentation
75bc1ed tlsdate: prevent unnecessary rebuilds
46e11a8 Fix /data dir creation, 'tlsdated' service class.
fa9e6d3 Remove verbose logging in 'tlsdated' and 'tlsdate'.
e690a81 Use a dedicated UID/GID for unprivileged execution.
1632583 Remove 'seclabel' option.
e9132c0 Make tlsdated persist and load last set time.
4a0ae01 Relocate a function to fix a build failure.
727698b Free memory for supplementary groups as soon as possible.
9451a04 Drop privileges to nobody:nobody, use supplementary groups as needed.
aab9382 Support for dropping privileges with supplementary groups.
98fc05c Run tlsdated without DBus.
5dc2a43 Run tlsdated as root.
e779a4e Check whether DBus is initialized before attempting platform init.
b470cc1 Run as non-root; drop privileges to inet:inet.
f73a0e4 Do not open a BIO on stdout.
6b0a934 Build tlsdate-helper in AOSP.
5f27bdd Better handling of EVP_PKEY types.
6b31c0f Stop using SSL BIO.
6198a2f Rename init.tlsdated.rc and tie it to the correct build target.
793a811 Add init.tlsdated.rc.
c31964b Use a group name that actually exists.
4def354 More signed/unsigned comparison and function pointer fixes.
7a429cf Build tlsdated unit tests.
e6832d3 Eliminate GNU old-style field initialization.
ff3ade3 Properly handle legacy/new syscalls.
838d8b3 Properly handle legacy/new syscalls.
a0f9aa3 Handle absence of BIO_CTRL_DUP.
9291850 Change an argument type to compile against BoringSSL headers.
f1080e8 Build tlsdate and tlsdated in AOSP (resubmitted).
8a05aa5 Remove an unused #ifdef.
de1c20a Use correct AUDIT_ARCH_ constants for mips32/64 and arm64.
49bc10a Fix another signed/unsigned comparison.
b03c254 Remove unused variables.
90cf470 Remove an accidental semicolon and fix a typo.
5c103d4 Stop using preadv/pwritev.
f162a32 Stop comparing signed and unsigned integers.
47194ce Remove src/common/android.{h,c}.
ae3f677 Add copyright notices

My conclusion here is to just fix the tlsdate fork in chromiumos for now:
https://chromium-review.googlesource.com/#/c/549533/

Agreed.
